malwarewikiaorg-20200223-history
Mirror
Virus.DOS.Mirror is a memory-resident parasitic virus for DOS. There are 8 variants in 4 versions, represented by the following:

* Virus.DOS.Mirror.482.a
* Virus.DOS.Mirror.924
* Virus.DOS.Mirror.1056
* Virus.DOS.Mirror.4130

Behavior

Mirror.482.a and 482.c

These are dangerous variants. They hook INT 21h and infect DOS executable files that are run, though not every executed program is infected.

Mirror.924

This is a polymorphic variant. It infects every EXE executable file in the current directory when run. Programs infected by it might hang the system when they are run. The infection size varies between files.

Mirror.1056 and 1056.b

These are polymorphic variants. They hook INT 21h to infect any EXE executable file that is run, though not every executed program is infected. The infection size varies between files.

Mirror.4130 and Mirror.a

These are polymorphic stealth variants. They infect all COMMAND.COM files and temporarily infect every other executable in any directory, to infect when run. The infection size varies between files and may cause an allocation error upon CHKDSK. The virus is stealthy in that no memory usage can be observed, but the infection size is visible. In a file listing, the temporarily infected files show a size change, and when these files are copied the virus inserts itself into the new file. The virus does not really infect files other than COMMAND.COM: while it stays in memory, every executable on any drive, even on CD-ROMs, is shown as infected. If it is unloaded from memory, the files are restored.

Mirror.b

This is a stealth variant. It infects COMMAND.COM only and may cause a memory allocation error after infection. A file infected by this variant may fail to execute and hang the system when run. The infection size is 1,384 bytes.

Memory usage

The following table shows the memory usage of the variants.

Payload

Mirror.482.a and 482.c

These variants activate instantly after being loaded into memory. The virus flashes the characters from left to right insanely, and it also writes trojan code into the MBR. If the user resets the computer, the hard drive will be formatted. On some systems, the text will be correctly mirrored, and a loud buzzing sound can also be heard.

Mirror.924

This variant hooks INT 8 to reverse the characters on screen, but it seems not to activate.

Mirror.1056 and 1056.b

These variants hook INT 8 after being loaded into memory and turn all the characters on screen into garbage, making the screen unreadable. This lasts for about 2 minutes, after which the screen may turn back to normal. About 2 minutes later the characters turn into garbage again, and this continues for as long as the virus stays in memory.

Mirror.4130, Mirror.a and b

These variants do not manifest themselves.

Other details

Mirror.924 contains the internal text strings and the name of the infected file:

    ????????EXE *.EXE

Mirror.1056 contains the internal text string:

    Mirror

Mirror.4130, Mirror.a and b contain the internal text string:

    [ Mirror: Bit Addict / TridenT ] COMSPEC=